Is it possible to setup a reverse proxy that would allow a database client to use a ssl port 443 connection and redirect to port 1521? I suspect it would not work. Can someone explain why or why not?
I'm assuming Oracle database based on port 1521.
There is no problem setting up Nginx TCP (L4) proxy for any TCP backend. Look here https://www.nginx.com/blog/tcp-load-balancing-udp-load-balancing-nginx-tips-tricks/ for example configuration.
When it comes to terminating SSL (L5) and sending data decrypted to TCP backend it's also technically possible with ngx_stream_ssl_module but I have never tested it and from what I can read people have problems setting this up for postgresql:
http://nginx.org/en/docs/stream/ngx_stream_ssl_module.html
Can nginx do TCP load balance with SSL termination
I have never seen Nginx setup as proxy for databases. Instead connection poolers (i.e. pgbouncer for postgresql) are often used not only for pooling but also as SSL offloading service. They are in fact L7 proxies for databases.
Oracle equivalent for pgbouncer seems to be Oracle Connection Manager and it supports SSL so I'd strongly recommend using it instead of Nginx or any other general purpose reverse proxy server:
https://docs.oracle.com/en/database/oracle/oracle-database/18/netag/configuring-oracle-connection-manager.html#GUID-AF8A511E-9AE6-4F4D-8E58-F28BC53F64E4
Related
I've been looking at possible ways to run a Minecraft server behind a reverse proxy on NGINX with a IP/location/to/server (e.g. 127.0.0.1/minecraft-server) connection, but the only information that I've found is to either use a SRV DNS record, or to use a stream proxy (but no further information is included about this possibility, or it does not provide a NGINX location config).
I need to use a NGINX reverse proxy as ports 80 and 443 will be the only ports that will be open externally via our provider (HTTP/S servers only allowed, they can't be used for anything else and the connection will be managed by administrators), and I don't have a domain. I can get one and a SSL certificate if that's all that's needed in order to be able to do this.
I know Minecraft runs on a TCP or UDP connection, and that's part of the reason why this is not an easy task, but since this is the only way I can possibly have future external access to my Minecraft Server (self hosted), I need a way to run the connection through an HTTP reverse proxy.
Is there any way to do this through NGINX or NGINX+other software?
Thank you in advance.
Basically what I'm trying to do is have a secure websocket connection start life at a client, go through nginx where nginx would terminate the tls, and instead of just proxying the websocket connection to a server, have nginx handle the websocket upgrade and just send the socket stream data to a tcp server or a unix domain socket.
Is that possible with the existing nginx modules and configuration?
proxy_pass can connect to a server via a unix domain socket
proxy_pass http://unix:/tmp/backend.socket:/uri/;
But the implication is that it still speaks http over the unix domain socket and the server is responsible for handling the websocket upgrade. I'm trying to get nginx to do the upgrading so that only the raw socket stream data gets to my server.
Sorta like a mix between proxy_pass and fastcgi_pass.
Do I have to modify one of these modules to make that possible or is there some way to configure this to work?
So what I eventually came to realize is that proxies just proxy and don't parse protocols. There's nothing built into nginx (although mod_ws in apache might do it) that can actually process the websockets protocol, the nginx proxy function just forwards the stream to the back end server. I'm working on another approach for this as the hope of having the webserver do the heavy lifting is not going to work easily.
I am running Rethinkdb on a server that lays behind cloudflare. I cannot make connection with my server when using my hostname. (I can access other stuff on my server so i am almost sure the problem doesn't lies there)
I am also able to connect using my ip directly (without adding a cert to the .connect function of rethinkdb client)
I do use Nginx and my client is in java
What i have tried:
Using custom set ports (that were said to be open on cloudflare)
trying proxying location to certain port
Using a cert (Rethink client side)
I couldn't find any information about Rethinkdb behind CloudFlare, so i am open to any suggestions
If i need to post more information please ask, i'm not sure what i should share...
This is not a RethinkDB issue. Cloudflare only supports specific ports, as spelled out here:
https://support.cloudflare.com/hc/en-us/articles/200169156-Which-ports-will-Cloudflare-work-with-
80
8080
8880
2052
2082
2086
2095
And all traffic must be HTTP sessions. RethinkDB communicates via raw TCP sockets. You cannot run it behind Cloudflare.
The question is about HTTP vs HTTPS.
If I want to anonymously load a website that forces HTTPS, like Google.com, do I need an HTTPS proxies, or can I get away with HTTP proxies?
If your proxy is SOCKS it will not care what kind of socket is connecting through it. It has its own handshake and it does not care about what happens after the handshake. Whether after the SOCKS handshake an SSL handshake (HTTPS) is started it is not a SOCKS proxy problem, it will just pass through.
Several HTTP proxies on the other hand expect HTTP headers to guide them, such a HTTP proxy will not allow HTTPS since it needs to read the headers.
On the third hand (ekhm... well, foot?), an HTTP proxy that supports HTTP CONNECT can also setup the transfer of arbitrary data. Therefore such a proxy can setup any type of socket, which can have an SSL handshake, which can then be used for HTTPS transfer.
HTTP Proxy Server supports CONNECT verb which supports HTTPS connections within HTTP Proxy. You don't need special HTTPS proxy server or any other setup.
CONNECT verb allows you to create binary socket tunnel to any given IP:Port address. So any HTTP client (all browsers), will open secure tunnel and communicate securely over proxy server. However, no one cant control or see anything that is going through the tunnel unless they implement man in middle attack by sending you self-signed certificates.
Most firewall these days automatically implement man in middle self signed certificates that are deployed in work network, so you have to probably dig more to identify whether it is really secure or not. So it may not be that anonymous.
If you're trying to access a service anonymously, you won't get this by running your own proxy. It's not clear from the original question what is meant by "proxy", e.g. local service, or remote service. You won't get anonymity by surfing through a proxy that's on your network, unless it's something like a TOR proxy which relays out through the TOR network.
As for whether proxies can support HTTPS or not, that's been covered here, it would be unusual to find a proxy that doesn't support CONNECT. However if it's a remote anonymizing service you're using, I doubt they would do MitM, since you'd need to install the signing cert into your trusted root store, so they couldn't do that surreptitiously.
Theres a server in a customer that runs a nginx, a salt master daemon from saltstack and a secret web app that does secret things.
Considerations:
In this scenario, theres only one ip, only one server and multiple DNS records available;
I have nginx running in port 80;
And salt master running in 6453;
A domain.example.com binding to that IP, exposing my nginx 80 port, that points to the secret webapp;
otherdomain.example.com binding to the same IP, exposing my nginx 80 port, that I want to use to proxy salt port.
That customer has a machine in other place, that does need to connect to the salt and the internet connection is provided by a secret organization and they only allow connections to port 80, no negotiation possible.
My question:
Is possible to use nginx to redirect the otherdomain.example.com 80 port to the 6453 port? I tried the following:
server {
listen 80;
server_name otherdomain.example.com;
proxy_pass 127.0.0.1:6453;
}
But that doesn't work as expected. It is possible? There's some way to do this using nginx?
The error I got from log was:
"proxy_pass" directive is not allowed here
proxy_pass needs to be specified within a location context, and is fundamentally a Web Thing. It only comes into play after the web headers are sent and interpreted.
Things like what you're trying to accomplish are commonly done using HAProxy in tcp mode, although there is a tcp proxy module that also does similar things.
However, I don't think you're going to be very successful, as ZMQ does not participate in the protocol (HTTP Host: headers) that easily allows you to tell the web requests apart from the non-web requests (that come in on the same port).
My recommendation is to either find some way to use another port for this, a second IP address, or write a tricky TCP proxier that'll identify incoming HTTP and/or ZMQ connections and transparently forward them to the correct local port.